Google Discloses Microsoft Edge Security Feature Bypass

Google has gone public with details about a Microsoft Edge vulnerability that attackers could abuse to bypass one of the browser’s security features, Arbitrary Code Guard (ACG).

ACG is a relatively new feature added to Edge’s security model. Microsoft added support for ACG in Edge in April 2017, with the release of the Windows 10 Creators Update.

ACG was the second of two new features that Microsoft said would prevent attackers from using JavaScript to load malicious code into a computer’s memory via Edge. Microsoft described the two new security features in a blog post last year. A summary of ACG and Code Integrity Guard (CIG) is below:

An application can directly load malicious native code into memory by either 1) loading a malicious DLL/EXE from disk or 2) dynamically generating/modifying code in memory. CIG prevents the first method by enabling DLL code signing requirements for Microsoft Edge. This ensures that only properly signed DLLs are allowed to load by a process. ACG then complements this by ensuring that signed code pages are immutable and that new unsigned code pages cannot be created.
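The behaviour the summary describes can be checked from inside a process. The following is an added example, not code from Microsoft, Google or this article: a C program opts itself into ACG with the Windows `SetProcessMitigationPolicy` API and counts how many dynamic-code attempts are then refused. The function name and return codes are assumptions of this example; on non-Windows builds it only reports that the API is unavailable.

```c
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0602   /* SetProcessMitigationPolicy needs Windows 8+ */
#endif
#include <windows.h>
#endif
#include <stdio.h>

#define ACG_UNSUPPORTED (-1)  /* hypothetical code: not built for Windows */
#define ACG_NOT_ENABLED (-2)  /* hypothetical code: policy could not be set */

/* Enables ACG for the current process (irreversible for its lifetime) and
   returns how many of three dynamic-code attempts were refused (3 = all). */
int acg_blocked_count(void) {
#ifdef _WIN32
    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY policy = {0};
    policy.ProhibitDynamicCode = 1;
    if (!SetProcessMitigationPolicy(ProcessDynamicCodePolicy, &policy, sizeof policy))
        return ACG_NOT_ENABLED;

    int blocked = 0;
    DWORD old;

    /* 1. New unsigned code page: an executable allocation is refused. */
    void *rwx = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (rwx == NULL) blocked++; else VirtualFree(rwx, 0, MEM_RELEASE);

    /* 2. Data page turned into code: a RW page cannot later gain execute. */
    void *rw = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (rw != NULL) {
        if (!VirtualProtect(rw, 4096, PAGE_EXECUTE_READ, &old)) blocked++;
        VirtualFree(rw, 0, MEM_RELEASE);
    }

    /* 3. Immutable code: an existing image code page cannot become writable. */
    if (!VirtualProtect((void *)(ULONG_PTR)&acg_blocked_count, 1, PAGE_EXECUTE_READWRITE, &old))
        blocked++;
    return blocked;
#else
    return ACG_UNSUPPORTED;
#endif
}

int main(void) {
    printf("dynamic-code attempts blocked: %d\n", acg_blocked_count());
    return 0;
}
```

Because the policy cannot be turned off once set, run this in a throwaway process rather than inside an application that relies on a JIT.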

Google engineer finds ACG bypass

Ivan Fratric, a security engineer with Google’s Project Zero team, has discovered a way to bypass ACG and load unsigned code into memory, giving attackers a way into Windows boxes via malicious websites loaded in Edge.

Fratric reported the issue to Microsoft last November, in a private bug report, but the deadline for fixing the bug passed.

“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues,” Microsoft told Fratric.

“The [Microsoft Edge] team IS positive that this will be ready to ship on March 13th,” Microsoft added.

Second Edge bug Fratric has discovered

Details about this issue are now public. This is not the first time that Fratric has publicly disclosed a bug in Edge; he also did so in February last year.